constant69
Contributor

In a cluster environment, is it possible to make the SNMP daemon listen on a VIP?

Hello,

I have a Check Point cluster running R81.20.
This cluster establishes IPSec tunnels with several peers.

I would like to monitor the status of the different tunnels via the active member.

I just noticed that the SNMP daemon is not listening on the VIP.
Is it possible to make this SNMP daemon listen on a VIP?

Here are the details:
On my cluster, SNMP is listening on the interfaces below.

xxxxx> show snmp interfaces
Enabled SNMP Agent Interfaces are
eth5
eth9
xxxxx>

Here is the real IP address associated with eth5 as well as the VIP.

[Expert@xxxxx:0]# ifconfig eth5
eth5        Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:xx
 inet addr:10.1.0.254  Bcast:10.1.0.255  Mask:255.255.255.0
 UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
 RX packets:3450678212 errors:0 dropped:3132 overruns:0 frame:0
 TX packets:3172616142 errors:0 dropped:0 overruns:0 carrier:0
 collisions:0 txqueuelen:1000
 RX bytes:2039943960807 (1.8 TiB)  TX bytes:1476745060960 (1.3 TiB)
 Interrupt:44
[Expert@xxxxx:0]# cphaprob -a if | grep eth5
eth5                 UP
eth5            10.1.0.252       VMAC address: xx:xx:xx:xx:xx:xx

An snmpwalk on the real IP associated with eth5 works.

[Expert@xxxxx:0]# snmpwalk -v 2c -c XXXXXX 10.1.0.254 .1.3.6.1.4.1.2620.500.9002.1.3.A.B.C.D.0
SNMPv2-SMI::enterprises.2620.500.9002.1.3.A.B.C.D.0 = Gauge32: 3

An snmpwalk on the VIP associated with eth5 does not work.

[Expert@xxxxx:0]# snmpwalk -v 2c -c XXXXXX -RO 10.1.0.252 .1.3.6.1.4.1.2620.500.9002.1.3.A.B.C.D.0
Timeout: No Response from 10.1.0.252

The netstat command below shows that the SNMP daemon is listening on the real IPs of interfaces eth5 and eth9.

[Expert@xxxxx:0]# netstat -anop | grep :161
udp        0      0 10.1.0.254:161              0.0.0.0:*                               13462/snmpd         off (0.00/0/0)
udp        0      0 10.2.3.252:161              0.0.0.0:*                               13462/snmpd         off (0.00/0/0)

Thank you in advance for your help.

Regards


Accepted Solutions
the_rock
MVP Platinum

I don't believe that can be configured for VIP, as far as SNMP is concerned. I would try to set this up for both members, so regardless of which one is master at any given time, it would always give the info for both members.

Best,
Andy


Duane_Toler
MVP Silver

No, because SNMP is a per-host operation.  It is designed to monitor the status of things on the host.  You can use SNMP to monitor operations of each cluster member as well as the Check Point processes (enable this in "cpconfig", option 2, and restart the services).  If you were to monitor as the VIP only, then you would not be getting status of the standby cluster member, which you still need.

 

--
Ansible for Check Point APIs series: https://www.youtube.com/@EdgeCaseScenario and Substack

JozkoMrkvicka
Authority

What is your idea for monitoring VPN over SNMP?

Kind regards,
Jozko Mrkvicka
constant69
Contributor

Hello,

The customer has many sensitive IPSEC VPN tunnels with partners, and the idea here is to monitor via SNMP the status of these tunnels using the OID .1.3.6.1.4.1.2620.500.9002.1.3.A.B.C.D.0, where A.B.C.D represents the IP address of a peer.

Regards

the_rock
MVP Platinum

That's exactly what I thought as well, thanks for confirming!

Best,
Andy
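
Added example, not part of any post in this thread: one way to get the per-tunnel status the original poster wanted without a VIP listener is to poll each member's real IP for the per-peer OID and combine the answers. It assumes Net-SNMP's snmpget on the monitoring host; the second member address 10.1.0.253, the peer addresses, the function names, and treating the value 3 as the healthy state are assumptions of this example.

```python
import ipaddress
import re
import subprocess

# OID prefix quoted in the thread; the peer's IPv4 address and ".0" are appended.
TUNNEL_STATE_PREFIX = ".1.3.6.1.4.1.2620.500.9002.1.3"
VALUE_RE = re.compile(r"=\s*Gauge32:\s*(\d+)\s*$")

def tunnel_oid(peer_ip):
    """Build the per-peer OID; rejects anything that is not a dotted IPv4 address."""
    return f"{TUNNEL_STATE_PREFIX}.{ipaddress.IPv4Address(peer_ip)}.0"

def parse_state(output):
    """Return the Gauge32 value from snmpget output, or None if there is none."""
    for line in output.splitlines():
        match = VALUE_RE.search(line)
        if match:
            return int(match.group(1))
    return None  # timeout, missing instance, or unexpected output

def query(member_ip, peer_ip, community, run=subprocess.run):
    """Ask one member's real IP about one peer; None means no usable answer."""
    cmd = ["snmpget", "-v", "2c", "-c", community, "-t", "2", "-r", "1",
           member_ip, tunnel_oid(peer_ip)]
    try:
        return parse_state(run(cmd, capture_output=True, text=True, timeout=10).stdout)
    except (OSError, subprocess.TimeoutExpired):
        return None

def poll_cluster(members, peers, community, run=subprocess.run):
    """Map each peer to {member_ip: state or None}."""
    return {p: {m: query(m, p, community, run) for m in members} for p in peers}

def peers_to_alert(results, expected=3):
    """Peers for which no member returned `expected` (3 is the value in the post;
    treating it as the healthy state is an assumption of this example)."""
    return sorted(p for p, states in results.items() if expected not in states.values())

def silent_members(results):
    """Members that answered for no peer at all (down, filtered, or SNMP disabled)."""
    members = {m for states in results.values() for m in states}
    return sorted(m for m in members
                  if all(states[m] is None for states in results.values()))

if __name__ == "__main__":
    # Constructed values: 10.1.0.253 as the second member and both peers are placeholders.
    res = poll_cluster(["10.1.0.254", "10.1.0.253"], ["192.0.2.10", "198.51.100.7"], "XXXXXX")
    print(res, peers_to_alert(res), silent_members(res))
```

As in the thread's snmpwalk calls, the v2c community string is passed on the command line, so it is visible in the process list of the polling host.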